
Error when generating key/certificate pair using java keytool #14

Open
MaxFichtelmann opened this issue Oct 29, 2024 · 2 comments

@MaxFichtelmann
The keytool command provided by openjdk installations can be used with a PKCS#11 driver.

A configuration file is needed that points to the PKCS#11 driver (and gives it a name):

library=/path/to/BouncyHsm.Pkcs11Lib-x64.so
name=bouncy-hsm

The command to generate a new private key and the corresponding self-signed certificate:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg java-pkcs11.cfg -genkey -keyalg RSA -keysize 2048 -dname cn=sample -alias sample-rsa

This fails with the following error message:

[12:33:51 INF] Executing operation CreateObject.
[12:33:51 ERR] Pkcs11 error during operation CreateObject with CKRV: CKR_ATTRIBUTE_VALUE_INVALID.
BouncyHsm.Core.Services.Contracts.RpcPkcs11Exception: Attribute CKA_SERIAL_NUMBER is not valid X509 Name in DER encoding.
 ---> System.ArgumentException: failed to construct integer from byte[]: unexpected end-of-contents marker
   at Org.BouncyCastle.Asn1.DerInteger.GetInstance(Object obj)
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   --- End of inner exception stack trace ---
   at BouncyHsm.Core.Services.Contracts.Entities.CryptoObjectValueChecker.CheckDerInteger(CKA attributeType, Byte[] data, Boolean enableEmpty, Boolean mustByPositive)
   at BouncyHsm.Core.Services.Contracts.Entities.X509CertificateObject.Validate()
   at BouncyHsm.Core.Services.P11Handlers.CreateObjectHandler.Handle(CreateObjectRequest request, CancellationToken cancellationToken)
   at BouncyHsm.Core.Rpc.RequestProcessor.ProcessRequestBody[TRequest,TResponse](IServiceProvider scopeProvider, String operation, ReadOnlyMemory`1 requestBody, Func`2 nonOkResponseFactory, ILogger logger, CancellationToken cancellationToken)
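Added example, not code from the issue, from keytool/SunPKCS11 or from BouncyHsm: a Python re-implementation of the shape of the check named in the stack trace, CheckDerInteger(attributeType, data, enableEmpty, mustBePositive), applied to candidate CKA_SERIAL_NUMBER values. PKCS#11 defines CKA_SERIAL_NUMBER on an X.509 certificate object as the DER encoding of the serial number (empty by default), so a conforming value is tag 0x02, a definite length, and minimal two's-complement content. The `diagnose_serial` helper additionally tests one hypothesis that the issue does not establish: that the client handed over the bare `BigInteger.toByteArray()` bytes instead of the DER INTEGER, which for a serial with the top bit set begins with 0x00 and would produce exactly the "unexpected end-of-contents marker" wording BouncyCastle reports above. The serial number and byte strings are constructed for this example; all function names are this example's own.

```python
# Added example (not the issue's, keytool's or BouncyHsm's code): a strict DER
# INTEGER check for CKA_SERIAL_NUMBER, plus a diagnosis of the raw-bytes case.
# The serial number and byte strings below are constructed for this example.


def _min_twos_complement(n: int) -> bytes:
    """Shortest big-endian two's-complement encoding of n.

    This is what java.math.BigInteger.toByteArray() returns, and it is also
    the *content* octets of a DER INTEGER (without tag and length).
    """
    nbytes = max(1, (n.bit_length() + 8) // 8)  # +8 leaves room for the sign bit
    out = n.to_bytes(nbytes, "big", signed=True)
    # Drop redundant sign-extension bytes so the encoding is minimal.
    while len(out) > 1 and (
        (out[0] == 0x00 and not out[1] & 0x80) or (out[0] == 0xFF and out[1] & 0x80)
    ):
        out = out[1:]
    return out


def java_to_byte_array(n: int) -> bytes:
    """Model of BigInteger.toByteArray(): raw content, no DER tag or length."""
    return _min_twos_complement(n)


def der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(n: int) -> bytes:
    """DER INTEGER: 0x02, length, minimal two's-complement content."""
    content = _min_twos_complement(n)
    return b"\x02" + der_length(len(content)) + content


def parse_der_integer(data: bytes) -> int:
    """Strict DER INTEGER parser; raises ValueError with a reason on any defect."""
    if len(data) < 2:
        raise ValueError("too short for a DER TLV")
    if data[0] == 0x00:
        # Tag 0 is BER's end-of-contents marker; this is the wording BouncyCastle
        # uses in the issue's stack trace when the first byte is 0x00.
        raise ValueError("unexpected end-of-contents marker")
    if data[0] != 0x02:
        raise ValueError(f"tag 0x{data[0]:02x} is not INTEGER (0x02)")
    first = data[1]
    if first < 0x80:
        length, off = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:
        n = first & 0x7F
        if n > 4 or len(data) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[2 : 2 + n], "big")
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding")
        off = 2 + n
    if off + length != len(data):
        raise ValueError(f"length {length} does not match {len(data) - off} content bytes")
    if length == 0:
        raise ValueError("INTEGER content must be at least one byte")
    content = data[off:]
    if length >= 2 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise ValueError("non-minimal INTEGER content (redundant leading byte)")
    return int.from_bytes(content, "big", signed=True)


def check_der_integer(data: bytes, enable_empty: bool = True, must_be_positive: bool = True):
    """Mirror of the CheckDerInteger(..., enableEmpty, mustBePositive) contract.

    Returns (ok, reason). Empty is accepted only with enable_empty (PKCS#11's
    default CKA_SERIAL_NUMBER is empty); 'positive' is taken here as > 0, which
    is what RFC 5280 requires of a certificate serial number.
    """
    if not data:
        return (True, "empty value") if enable_empty else (False, "empty value not allowed")
    try:
        value = parse_der_integer(data)
    except ValueError as exc:
        return False, str(exc)
    if must_be_positive and value <= 0:
        return False, f"INTEGER {value} is not positive"
    return True, f"INTEGER {value}"


def diagnose_serial(data: bytes) -> str:
    """Classify a CKA_SERIAL_NUMBER value.

    Hypothesis (not established by the issue): a client may pass the bare
    BigInteger.toByteArray() bytes instead of the DER INTEGER. Re-wrapping the
    bytes as INTEGER content and re-checking tells the two cases apart.
    """
    ok, reason = check_der_integer(data)
    if ok:
        return f"valid: {reason}"
    ok2, reason2 = check_der_integer(b"\x02" + der_length(len(data)) + data)
    if ok2:
        return f"rejected ({reason}); wrapped as INTEGER it is {reason2}: raw BigInteger.toByteArray() output"
    return f"rejected ({reason})"


if __name__ == "__main__":
    serial = 0xA1B2C3D4E5F60718  # constructed 64-bit serial with the top bit set
    print(diagnose_serial(der_integer(serial)))         # valid DER INTEGER
    print(diagnose_serial(java_to_byte_array(serial)))  # leading 0x00 -> end-of-contents marker
    print(diagnose_serial(java_to_byte_array(0x1234)))  # tag 0x12 -> not INTEGER
```

Run it against the attribute bytes that the later BouncyHsm builds log for the failing C_CreateObject call: if the value parses once wrapped with a 0x02 tag and length, the client is sending the serial's content octets rather than its DER encoding; if it does not, the defect is elsewhere in the value.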

harrison314 self-assigned this Oct 29, 2024

@harrison314 (Owner)

Thanks for reporting the bug.

I will need to replicate this. Which JDK version are you using? It is best if you send me the name of the package and the version.

@harrison314 (Owner) commented Oct 29, 2024

@MaxFichtelmann try this build; it also logs the value of the problematic attribute.
https://github.com/harrison314/BouncyHsm/actions/runs/11578823608

Edit:
Try version 1.1.1 https://github.com/harrison314/BouncyHsm/releases/tag/v1.1.1 with better logging.
